
System Hardening


AppArmor

AppArmor is a Linux kernel security module (mandatory access control) that sits between applications and the system's filesystem, processes and network, restricting what each confined program is allowed to access.

We write a profile for each application we want AppArmor to confine.

We can create profiles for firefox, the kubelet, containers managed by Kubernetes, etc.

Types of profiles

A loaded profile runs in one of two modes: enforce, where violations are blocked and logged, or complain, where violations are only logged (useful while building a profile). aa-status shows which profiles are loaded in each mode.

Main commands

aa-status lists loaded profiles and their modes, aa-genprof generates a profile for a program, aa-logprof updates a profile from logged AppArmor events, aa-complain and aa-enforce switch a profile between the two modes, and apparmor_parser loads (-a), replaces (-r) or unloads (-R) a profile file.

Setup simple AppArmor profile for curl

We can run aa-genprof curl to generate a profile for curl (it walks through the program's accesses interactively), then check that it was added by looking in /etc/apparmor.d/ or running aa-status.

aa-logprof reads the AppArmor log events and updates the profile according to what was recorded.

Nginx docker container uses AppArmor profile

We can load a profile definition with apparmor_parser --add <path-of-profile>; the approach follows https://kubernetes.io/docs/tutorials/security/apparmor/.

We have a pre-created profile called docker-nginx, so we load it. This profile restricts what the container can do (the rules are in the profile file itself), and we can confirm it's loaded by running aa-status.

Then, to test the new profile, we create an nginx container that uses it with docker run --security-opt apparmor=docker-nginx -d nginx, then docker exec -it <container-id> sh and try an action the profile denies.

The name of the profile isn't the file name but the name declared inside the file (on the profile line), and that name is what --security-opt apparmor=<name> refers to.
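As an added example (not the page's docker-nginx profile, and not the Kubernetes tutorial's), the script below writes a small profile whose declared name (demo-deny-write) deliberately differs from its file name (/etc/apparmor.d/nginx-demo), loads it, and runs nginx under it. The profile name, file path and the choice of denying writes under /usr are assumptions made for the demo. The profile_name_from_file helper also recognises the path-attached form that aa-genprof writes for a binary like curl, where the path itself is the profile name.

```shell
#!/bin/sh
# Added example, not the page's own profile: write an AppArmor profile whose
# declared name differs from its file name, load it, and run nginx confined by it.
# Profile name, file name and the denied path are assumptions for the demo.
set -eu

PROFILE_FILE="${PROFILE_FILE:-/etc/apparmor.d/nginx-demo}"   # arbitrary file name

# Profile text. The name Docker must reference is "demo-deny-write" (the
# "profile" line), not "nginx-demo" (the file). nginx only reads under /usr,
# so denying writes there keeps it working while blocking web-root tampering.
profile_text() {
cat <<'EOF'
#include <tunables/global>

profile demo-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>

  # allow everything by default, then deny writes under /usr (deny rules win)
  file,
  capability,
  network,
  deny /usr/** w,
}
EOF
}

# Print the name a profile file declares: "profile <name> ..." for named
# profiles, or the leading path for path-attached ones (what aa-genprof writes).
profile_name_from_file() {
  sed -n -e 's/^profile \([^ {]*\).*/\1/p' -e 's|^\(/[^ {]*\).*|\1|p' "$1" | head -n 1
}

write_profile() { profile_text > "$1"; }

# Node-side: load (or replace) the profile and confirm the kernel knows it.
load_profile() {
  apparmor_parser -r "$PROFILE_FILE"
  aa-status | grep -q "$(profile_name_from_file "$PROFILE_FILE")"
}

# Start nginx under the profile; a write into the web root must be denied.
run_confined_nginx() {
  name=$(profile_name_from_file "$PROFILE_FILE")
  cid=$(docker run --rm -d --security-opt "apparmor=$name" nginx)
  if docker exec "$cid" sh -c 'echo pwned > /usr/share/nginx/html/index.html'; then
    echo "write allowed: profile not applied"
  else
    echo "write denied by AppArmor profile $name"
  fi
  docker stop "$cid" >/dev/null
}

# Usage (as root on a node with AppArmor and Docker): sh apparmor-demo.sh apply
if [ "${1:-}" = "apply" ]; then
  write_profile "$PROFILE_FILE"
  load_profile
  run_confined_nginx
fi
```

Passing a file name instead of the declared name to --security-opt apparmor= makes docker run fail because no loaded profile has that name; running the helper on the file first avoids the guesswork.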

Create pod which uses an AppArmor profile

https://kubernetes.io/docs/tutorials/security/apparmor/

Since Kubernetes v1.30 the profile is set in the pod or container securityContext (appArmorProfile with type Localhost and localhostProfile: <profile-name>); prior to v1.30 it was set with the container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/<profile-name> annotation. Either way the profile must already be loaded on the node the pod is scheduled to.

Seccomp

Create nginx pod in kubernetes and assign a seccomp profile to it

https://kubernetes.io/docs/tutorials/security/seccomp/

We have a pre-created seccomp configuration; we put it on the worker node at /var/lib/kubelet/seccomp/profiles/default.json, i.e. under the kubelet's seccomp root (/var/lib/kubelet/seccomp by default), because Localhost profiles are resolved relative to that directory.

Now we create a pod whose securityContext.seccompProfile has type Localhost and localhostProfile set to the path relative to that root, profiles/default.json.

We can exec into it and it works.

Now we remove the write syscall from the allowed list in default.json, recreate the pod and see what happens.

Error: failed to start containerd task "seccomp-pod": OCI runtime start failed: cannot start an already running container: unknown

The pod does not start: with write denied, nginx can't write anything (its pid file, logs or responses), so the container never comes up. The runtime's error text doesn't name the cause; kubectl describe pod shows the failed start, and the profile change is what broke it.
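The following is an added example covering both the AppArmor pod field described above and this seccomp procedure; it is not the page's pre-created profile or manifest. It writes a constructed seccomp allowlist under the kubelet's seccomp root, generates a pod manifest that references it (and, in the same securityContext, a node-loaded AppArmor profile via the v1.30+ appArmorProfile field), and provides drop_syscall to remove one name from the allowlist so the start failure can be reproduced deliberately. The syscall list, the pod name seccomp-pod and the AppArmor profile name demo-deny-write are assumptions.

```shell
#!/bin/sh
# Added example (not the page's own files): a constructed seccomp allowlist
# placed under the kubelet's seccomp root, a pod that references it through
# securityContext (together with a node-loaded AppArmor profile, the v1.30+
# form), and a helper that drops one syscall from the allowlist to reproduce
# the start failure. The syscall list, pod name and profile names are assumptions.
set -eu

SECCOMP_ROOT="${SECCOMP_ROOT:-/var/lib/kubelet/seccomp}"  # kubelet default seccomp root
PROFILE_REL="profiles/default.json"                         # referenced relative to that root
APPARMOR_PROFILE="${APPARMOR_PROFILE:-demo-deny-write}"     # must already be loaded on the node

# Allowlist profile: any syscall not named fails with EPERM. The names here are
# an illustrative subset, not a verified-complete set for nginx; start from the
# full profile you already have and shrink it from there.
seccomp_profile_json() {
cat <<'EOF'
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": [
        "accept4", "bind", "brk", "clone", "close", "dup2", "epoll_create1",
        "epoll_ctl", "epoll_wait", "execve", "exit_group", "fstat", "futex",
        "getpid", "ioctl", "listen", "mmap", "mprotect", "munmap", "openat",
        "read", "rt_sigaction", "rt_sigprocmask", "setgid", "setuid",
        "socket", "stat", "wait4", "write", "writev"
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
EOF
}

# Remove one syscall name from the allowlist in place. The match is on the
# quoted name, so dropping "write" leaves "writev" untouched.
drop_syscall() {
  name=$1; file=$2
  sed -e "s/\"$name\", //g" -e "s/, \"$name\"//g" -e "/^ *\"$name\",\{0,1\} *$/d" "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Pod manifest: seccomp path is relative to SECCOMP_ROOT; the AppArmor entry is
# the profile *name* declared in the loaded profile, not a file name.
pod_manifest() {
cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-pod
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: $PROFILE_REL
    appArmorProfile:
      type: Localhost
      localhostProfile: $APPARMOR_PROFILE
  containers:
  - name: nginx
    image: nginx
EOF
}

install_profile() {            # run on the worker node
  mkdir -p "$SECCOMP_ROOT/profiles"
  seccomp_profile_json > "$SECCOMP_ROOT/$PROFILE_REL"
}

deploy_pod() {                 # run where kubectl is configured
  pod_manifest | kubectl apply -f -
  kubectl wait --for=condition=Ready pod/seccomp-pod --timeout=60s \
    || kubectl describe pod seccomp-pod | tail -n 15
}

# Usage: sh seccomp-demo.sh install   (node)
#        sh seccomp-demo.sh deploy    (kubectl host)
#        sh seccomp-demo.sh break     (node; then delete and redeploy the pod)
case "${1:-}" in
  install) install_profile ;;
  deploy)  deploy_pod ;;
  break)   drop_syscall write "$SECCOMP_ROOT/$PROFILE_REL" ;;
esac
```

After the break step the redeployed pod stays in a failed state and kubectl describe pod shows the start error, which is the fastest place to look when a seccomp change breaks a workload.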

Minimize OS Footprint

Run netstat -plnt (or ss -plnt where netstat isn't installed) to list listening TCP ports with the owning process, or lsof -i :22 to see what is listening on port 22; anything listening that isn't needed should be stopped and removed.
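Minimal images often ship without netstat, ss or lsof. As an added example that goes beyond the commands above (it is not part of the original page), the script below reads listening TCP sockets directly from /proc/net/tcp and /proc/net/tcp6 and maps each socket inode to its process by scanning /proc/*/fd, which is what netstat -p does under the hood. The sample table is constructed so the decoding can be exercised offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): list listening TCP sockets straight from
# /proc/net/tcp and /proc/net/tcp6 and map each to its owning PID, for hosts
# without netstat/ss/lsof. The sample table below is constructed for offline use.
set -eu

# Decode a little-endian hex IPv4 address from /proc/net/tcp ("0100007F" -> 127.0.0.1).
# IPv6 entries (32 hex chars) are printed as-is.
decode_addr() {
  h=$1
  case ${#h} in
    8)
      b1=${h%??????}; r=${h#??}; b2=${r%????}; r=${r#??}; b3=${r%??}; b4=${r#??}
      printf '%d.%d.%d.%d' "0x$b4" "0x$b3" "0x$b2" "0x$b1" ;;
    *) printf '%s' "$h" ;;
  esac
}

# Read a /proc/net/tcp-style table on stdin; print "LABEL ADDR:PORT LISTEN INODE"
# for every socket in state 0A (LISTEN). Ports are hex in the table.
listening_from_proc() {
  label=$1
  tail -n +2 | while read -r _sl laddr _raddr st _txrx _trwhen _retr _uid _timeout inode _rest; do
    [ "$st" = "0A" ] || continue
    port=$(printf '%d' "0x${laddr##*:}")
    printf '%s %s:%s LISTEN %s\n' "$label" "$(decode_addr "${laddr%:*}")" "$port" "$inode"
  done
}

# Find the PID (and command line) holding a socket inode by scanning /proc/*/fd.
# Other users' processes are only visible as root.
pid_of_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
      pid=${fd#/proc/}; pid=${pid%%/*}
      printf '%s %s' "$pid" "$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
      return 0
    fi
  done
  printf 'unknown'
}

# Constructed sample: sshd on 0.0.0.0:22 (LISTEN), a service on 127.0.0.1:8080
# (LISTEN), and one ESTABLISHED connection (state 01) that must not be reported.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1'

# Live listing with owners on a Linux host; falls back to the sample elsewhere.
report_listeners() {
  if [ -r /proc/net/tcp ]; then
    listening_from_proc tcp < /proc/net/tcp
    [ -r /proc/net/tcp6 ] && listening_from_proc tcp6 < /proc/net/tcp6
  else
    printf '%s\n' "$SAMPLE_TCP" | listening_from_proc tcp
  fi | while read -r proto addr state inode; do
    printf '%s %s %s pid=%s\n' "$proto" "$addr" "$state" "$(pid_of_inode "$inode")"
  done
}

report_listeners
```

Anything reported here that the host's role doesn't require (sshd on a node that is only reached through the cloud console, a debug port bound to 0.0.0.0) is a candidate for disabling the service or removing the package.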
